
Querying Like a Pro in Arkime: Getting the Most Out of Arkime Viewer: Beyond the Basics

  • 1 day ago
  • 5 min read

If you’ve started using Arkime (formerly Moloch), you already know it's a powerful tool for digging deep into packet captures and indexed network traffic.

But here's the deal — most of that power lives in how you search.

And trust me, once you get comfortable with Arkime's search language, it feels less like digging through data and more like interrogating the network. 🕵️‍♀️


----------------------------------------------------------------------------------------------------------

🧠 First: What Are We Even Searching?

In Arkime, you’re not just searching raw packets like in Wireshark. You're querying SPI data — Session Profile Information. It's metadata extracted from full PCAP captures that’s been indexed for fast retrieval. This means you’re asking questions like:


  • “Which sessions involved DNS lookups for ‘google’?”

  • “Did anyone POST data to a shady site?”

  • “Who used TLS but without Diffie-Hellman?”


You use Arkime's query bar in the viewer UI — and it’s actually pretty user-friendly.

----------------------------------------------------------------------------------------------------------


✨ Query Language 101 (Way Simpler Than It Looks)

Arkime has its own mini search language. Don’t worry, it’s not too weird. Here’s how it works:

Task            Syntax
AND             &&
OR              ||
Equals          ==
Not equals      !=
Exists          == EXISTS!
Group logic     ( ... )

Example:

host.dns == *google* && http.method == POST

This matches sessions with “google” in the DNS hostname AND an HTTP POST method (both conditions are tested against the same session) — maybe signs of data exfiltration?



----------------------------------------------------------------------------------------------------------

🔍 Let's Talk Field Types (Because This Changes How You Search)

Arkime fields come in different types — and you search each a little differently.


🧾 String Fields

These are your domains, URIs, methods, headers, etc.

  • Tokenized: Arkime breaks strings up by dots, slashes, and dashes.

    • So www.cyberengage.org becomes: www, cyberengage, org, and www.cyberengage.org


  • Wildcards:

    • * = any characters

    • ? = a single character

    http.uri == "www.cyberengage.*" matches .org, .edu, .com, etc.


  • Lists:

    • Want OR logic quickly? Use brackets:

    http.uri == [login, reset, password]


  • Regex:

    • Use /regex/ style for advanced pattern matching

    host.http == /.*cyberengage\.com/


🌐 IP Address Fields

You can match by:


  • Exact IPs: ip.dst == 192.168.1.10

  • CIDR: ip.src == 10.0.0.0/8

  • With ports: ip.dst == 8.8.8.8:53



🔢 Numeric Fields

  • Standard comparisons work: >, <, >=, !=

port.src >= 10000

📅 Date Fields

Yes, you can time travel:

timestamp >= "2024-07-01 00:00:00"

Or go relative like:

timestamp >= now-24h
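To make the operator table and the string, IP and numeric matching rules above concrete, here is a small Python evaluator written for this write-up (it is not Arkime code and only approximates Arkime's matching: tokenization on dots, slashes and dashes, anchored /regex/, * and ? wildcards, [a, b] lists, CIDR with an optional :port, EXISTS!, && and ||). The session records are constructed for illustration and use field names from this page.

```python
import fnmatch
import ipaddress
import re

# Constructed SPI-style session records (illustrative data, not real Arkime output).
SESSIONS = [
    {"ip.src": "10.1.2.3", "ip.dst": "192.168.1.10", "port.dst": 53,
     "host.dns": "www.cyberengage.org"},
    {"ip.src": "10.9.9.9", "ip.dst": "192.168.1.20", "port.dst": 443,
     "host.http": "www.cyberengage.com", "http.method": "POST",
     "http.uri": "www.cyberengage.com/reset"},
    {"ip.src": "172.16.0.5", "ip.dst": "192.168.1.10", "port.dst": 443,
     "tls.cipher": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"},
]

def tokens(value):
    """Approximate Arkime tokenization: split on '.', '/' and '-', keep the full string too."""
    return {p for p in re.split(r"[./-]", value) if p} | {value}

def value_matches(session, field, actual, wanted):
    """One stored value against one query value: /regex/, IP or CIDR[:port], glob, or token."""
    if wanted.startswith("/") and wanted.endswith("/"):
        return re.fullmatch(wanted[1:-1], actual) is not None  # regex must cover the whole value
    if field.startswith("ip."):
        ip, _, port = wanted.partition(":")  # e.g. 192.168.1.0/24:443
        if port and str(session.get("port" + field[2:])) != port:
            return False
        return ipaddress.ip_address(actual) in ipaddress.ip_network(ip, strict=False)
    if "*" in wanted or "?" in wanted:
        return fnmatch.fnmatchcase(actual, wanted)  # * = any characters, ? = one character
    return wanted == actual or wanted in tokens(actual)  # whole string or any single token

def clause_matches(session, clause):
    """Evaluate 'field == value', 'field != value', 'field == EXISTS!' or 'field == [a, b]'."""
    field, op, raw = re.match(r"\s*(\S+)\s*(==|!=)\s*(.+?)\s*$", clause).groups()
    actual = session.get(field)
    if raw == "EXISTS!":
        hit = actual is not None
    elif actual is None:
        hit = False  # a missing field never equals anything, so '!=' matches it
    else:
        wanted = raw[1:-1].split(",") if raw.startswith("[") else [raw]  # [a, b] is OR
        hit = any(value_matches(session, field, str(actual), w.strip().strip('"')) for w in wanted)
    return hit if op == "==" else not hit

def search(query, sessions=SESSIONS):
    """Return matching sessions; '&&' binds tighter than '||', parentheses unsupported."""
    return [s for s in sessions
            if any(all(clause_matches(s, c) for c in group.split("&&"))
                   for group in query.split("||"))]
```

Running the page's `tls.cipher == EXISTS! && tls.cipher != DHE` through this evaluator still returns the TLS_DHE_RSA_... session, because `!= DHE` only excludes the exact value DHE; the wildcard form `tls.cipher != *DHE*` is what excludes DHE suites here.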

🦉 Helpful Stuff Built Right In

🧠 Autocomplete

Start typing host in the search bar and Arkime gives you suggestions like:

  • host.dns

  • host.http

  • host.tls

This is amazing when you’re not sure of the exact field name.



🦉 The Owl Button

Top-left corner of the interface = Arkime's Owl. Click it anytime to get quick help, field lists, and syntax reminders.


📈 The Viewer UI – It’s Not Just a Table

Each row in the interface = a session (not an individual packet). This is important. Arkime combines both sides of a conversation into one entry.

You’ll see:

  • Timestamps

  • Byte/packet counts

  • Protocols

  • Directional traffic graphs (red vs blue = client vs server)


You can:

  • Click the green plus sign to expand any session

  • Extract PCAPs of the session instantly

  • Switch views to show packets, bytes, or session summaries


And yes — you can zoom into a time range interactively just like in Wireshark!


🎯 Quick Query Examples (Copy-Paste Friendly)

  • Find all DNS requests containing “google”

    host.dns == cyberengage

  • All POST requests to Home Depot domains

    http.method == POST && host.http == cyberengage.org

  • TLS sessions that don’t use Diffie-Hellman

    tls.cipher == EXISTS! && tls.cipher != DHE

  • Any session where a TLS certificate was present

    cert.issuer.cn == EXISTS!

  • Match IP in range with port

    ip.dst == 192.168.1.0/24:443

----------------------------------------------------------------------------------------------------------


So you’ve fired up Arkime, run a few basic searches, and pulled up some sessions. Cool. But now you’re thinking, “Okay, now what?”

Welcome to the real power of Arkime — the Viewer interface. This is where packet forensics turns visual, interactive, and actually fun.


🔓 “Unrolling” a Session — No More Packet-by-Packet Misery

Click that little green or blue “+” icon on any session row. Boom. You just “unrolled” the session.


Now you’re looking at:

  • All the SPI (Session Profile Information) fields Arkime extracted

  • A breakdown of client and server metadata

  • Easy-to-click fields that build your next search for you


This is Arkime’s secret sauce. You’re not parsing hex dumps or scrolling through TCP streams — you’re getting parsed, indexed, clickable context.


Want to filter all sessions that used the same HTTP User-Agent? Just click it. Want to pivot off a suspicious DNS request? Click it.

----------------------------------------------------------------------------------------------------------


📦 No PCAP Left Behind (Even If You Delete It)

One super cool feature: even if your original .pcap files get deleted or expire from disk, the SPI data stays. That means you can still search for sessions based on:

  • IPs

  • DNS names

  • TLS info

  • HTTP headers

  • And more…


…even if the raw packets are long gone. That's thanks to Elasticsearch, which is storing and indexing all that juicy metadata.


----------------------------------------------------------------------------------------------------------


🎨 Visual Packet Direction — Just Like Wireshark (But Better)

If the original PCAP is still available and not locked by permissions, Arkime shows you client-server packet flows using colors:


  • 🔵 Blue = client → server

  • 🔴 Red = server → client


This helps you see session direction at a glance — useful when you're dealing with command-and-control traffic, exfiltration, or handshake behaviors.


----------------------------------------------------------------------------------------------------------


🧪 Decode & Decompress — On the Fly

Did the response come back GZIP'd? No worries.

Arkime lets you uncompress responses directly in the browser — just click the “Uncompress” button.

Same goes for files and images:

  • Click “Show Images & Files”

  • Arkime will display images right inside the UI

  • Not an image? You’ll get a download link, but it forces a .pellet extension to keep things safe — no accidental malware clicks 👀


This makes Arkime way more analyst-friendly. No need to carve files manually — the UI helps surface artifacts you care about.


----------------------------------------------------------------------------------------------------------


🔗 “Connections” Tab — Visualize Relationships, Not Just Results

Here’s where Arkime gets fancy.

The Connections tab lets you build visual relationships between any two data points. You can pair:

  • ip.src with host.dns

  • ip.src with ip.dst

  • smb.user with smb.fn (username vs. accessed file)

  • Anything you want — as long as it's in the SPI


What you get is an interactive graph, showing:

  • Who talked to whom

  • How often

  • Which IPs resolved which domains

  • Which users accessed which files


You can hover to see session counts, bytes, packets... or even drag nodes to explore visually. It's like building your own mini threat intel map.


----------------------------------------------------------------------------------------------------------

🔍 The Hunt Tab — Search Inside Packets, Not Just Metadata

Most of Arkime’s power is in SPI — but sometimes, you need to dig deeper. That’s where Hunt comes in.

What is a “Hunt”?

It’s a background task that scans the actual packet data (raw PCAP) for matches, not just metadata.


Example use cases:

  • Searching inside payloads for malware signatures

  • Finding credentials

  • Looking for file fragments or strings


Hunt Options You Can Customize:

  • How many packets per session to search

  • Reassembly (streamed) or per-packet inspection

  • Direction (client→server, server→client, or both)

  • Match method (literal string, regex, etc.)


Once the hunt finishes:

  • It adds huntName and huntId to the session SPI

  • Even if the PCAP is deleted later, the match stays searchable!


💡 Bonus: You can save hunts and reuse them later — perfect for recurring analysis like APT TTPs, keyword searches, or IOC sweeps.

----------------------------------------------------------------------------------------------------------


🧰 Final Thoughts: Why This Matters

When you're dealing with mountains of network traffic, the difference between pain and productivity often comes down to how your tools surface data.


Arkime isn’t just capturing packets — it’s making them usable.

Once you learn the basic search syntax, Arkime becomes insanely powerful. You're no longer swimming in raw packets — you're running smart, targeted queries and extracting meaningful results fast.


----------------------------------------------------------------------------------------------------------

Dean
